Some video sharing websites use a third party authentication service to decide whether a particular user can view a particular video. The third party authentication service can thus be used to provide access control for certain premium content. The service provides the infrastructure and mediates the interaction between the user and their television provider: if the user can access the content on the television, the user can also access the content online. Once the user is authenticated to the third party authentication service, the user is able to generate authorization tokens for particular videos. These tokens are passed on to the video sharing website, which verifies each authorization token using a library provided by the third party.
The tokens can have a validity period, such as five minutes. The user can start watching a video within the validity period and, once authorized, can continue to watch the video in its entirety. An issued token can be used any number of times during the validity period, and no additional authorization is supplied to the video sharing website. Thus, the token is the only mechanism used to allow video playback. This creates a security vulnerability: a malicious user possessing appropriate credentials could set up a system to redistribute the tokens, allowing any number of unauthorized users to access the video within the validity period. Alternatively, a token belonging to a regular user can be stolen and reused, resulting in the same problem.
The above is a general problem inherent to any system that grants authorization using tokens verified on the basis of a cryptographic signature and a timestamp only, where a token can be reused any number of times within its validity period.